boringssl/ssl
David Benjamin b398d16c1d Remove SSL_check_chain and unexport CERT_PKEY flags.
Both of these are newly-exported in OpenSSL 1.0.2, so they cannot be used by
current consumers.

This was added in upstream's 18d7158809c9722f4c6d2a8af7513577274f9b56 to
support custom selection of certificates. The intent seems to be that you
listen to cert_cb and use SSL_check_chain to lean on OpenSSL to process the
signature algorithms list for you.

Unfortunately, the implementation is slightly suspect: it uses the same
function as the codepath which mutates and refers to the CERT_PKEY of the
matching type.  Some access was guarded by check_flags, but this is too
complex. Part of it is also because the matching digest is selected early and
we intend to connect this to EVP_PKEY_supports_digest so it is no longer a
property of just the key type.

Let's remove the hook for now, to unblock removing a lot of complexity. After
cleaning up this area, a function like this could be cleaner to support, but
we already have a version of this: select_certificate_cb and
ssl_early_callback_ctx.

Change-Id: I3add425b3996e5e32d4a88e14cc607b4fdaa5aec
Reviewed-on: https://boringssl-review.googlesource.com/2283
Reviewed-by: Adam Langley <agl@google.com>
2014-11-18 22:19:24 +00:00
pqueue Test insertion of duplicates in pqueue_test. 2014-11-06 01:46:57 +00:00
test Add DTLS-SRTP tests. 2014-11-18 22:16:53 +00:00
CMakeLists.txt Merge the get_ssl_method hooks between TLS and SSLv3. 2014-09-30 22:58:59 +00:00
d1_both.c Remove DTLSv1_listen. 2014-11-10 22:39:24 +00:00
d1_clnt.c Remove SSL3_FLAGS_POP_BUFFER. 2014-11-10 23:59:13 +00:00
d1_enc.c Remove KSSL_DEBUG. 2014-11-04 19:35:38 +00:00
d1_lib.c Remove DTLSv1_listen. 2014-11-10 22:39:24 +00:00
d1_meth.c
d1_pkt.c Remove #if 0'd code documenting an old bug. 2014-11-10 22:45:17 +00:00
d1_srtp.c Add less dangerous versions of SRTP functions. 2014-10-27 21:58:09 +00:00
d1_srvr.c Remove psk_identity_hint from SSL_SESSION. 2014-11-10 23:59:47 +00:00
s3_both.c Remove remnant of MS SGC second ClientHello. 2014-11-04 00:25:13 +00:00
s3_cbc.c Add a few more constant-time utility functions. 2014-11-10 13:45:32 -08:00
s3_clnt.c Remove SSL_check_chain and unexport CERT_PKEY flags. 2014-11-18 22:19:24 +00:00
s3_enc.c Extended master secret support. 2014-10-24 21:19:44 +00:00
s3_lib.c Remove SSL_get_peer_signature_nid and don't compute digests for peer_key. 2014-11-18 22:18:54 +00:00
s3_meth.c Merge the get_ssl_method hooks between TLS and SSLv3. 2014-09-30 22:58:59 +00:00
s3_pkt.c Remove support for processing fragmented alerts 2014-11-13 22:58:30 +00:00
s3_srvr.c Don't resume sessions if the negotiated version doesn't match. 2014-11-13 22:05:12 +00:00
s23_clnt.c Remove some remnants of SSLv2. 2014-11-17 20:27:13 +00:00
s23_lib.c
s23_meth.c
s23_pkt.c
s23_srvr.c
ssl_algs.c
ssl_asn1.c Remove psk_identity_hint from SSL_SESSION. 2014-11-10 23:59:47 +00:00
ssl_cert.c Remove CERT_PKEY_EXPLICIT_SIGN flag. 2014-11-18 22:19:06 +00:00
ssl_ciph.c Remove client-side support for ServerKeyExchange in the RSA key exchange. 2014-11-10 23:00:09 +00:00
ssl_error.c Remove support for processing fragmented alerts 2014-11-13 22:58:30 +00:00
ssl_lib.c Remove some remnants of SSLv2. 2014-11-17 20:27:13 +00:00
ssl_locl.h Remove SSL_check_chain and unexport CERT_PKEY flags. 2014-11-18 22:19:24 +00:00
ssl_rsa.c
ssl_sess.c Remove some remnants of SSLv2. 2014-11-17 20:27:13 +00:00
ssl_stat.c
ssl_test.c Remove psk_identity_hint from SSL_SESSION. 2014-11-10 23:59:47 +00:00
ssl_txt.c Remove some remnants of SSLv2. 2014-11-17 20:27:13 +00:00
t1_enc.c Remove KSSL_DEBUG. 2014-11-04 19:35:38 +00:00
t1_lib.c Remove SSL_check_chain and unexport CERT_PKEY flags. 2014-11-18 22:19:24 +00:00
t1_reneg.c